
VULNERABILITIES \ FIXES - October 27, 2008

Oct 27, 2008 1:30AM PDT

Ubuntu update for moodle

Release Date: 2008-10-27

Critical: Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 7.10
Ubuntu Linux 8.04


Description:
Ubuntu has issued an update for moodle. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Original Advisory:
USN-658-1:
https://lists.ubuntu.com/archives/ubu...ity-announce/2008-October/000766.html

Other References:
SA30986:
http://secunia.com/advisories/30986/

KTorrent Web Interface Torrent Upload and PHP Code Injectio
Oct 27, 2008 1:32AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Security Bypass
System access

Where: From remote
Solution Status: Vendor Patch


Software: KTorrent 3.x

Description:
Some vulnerabilities have been discovered in KTorrent, which can be exploited by malicious users to compromise a vulnerable system and malicious people to bypass certain security restrictions.

Solution:
Update to version 3.1.4.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://ktorrent.org/?q=node/23

Fedora update for drupal
Oct 27, 2008 1:33AM PDT

Release Date: 2008-10-27

Critical: Less critical
Impact: Cross Site Scripting
Privilege escalation

Where: From remote
Solution Status: Vendor Patch


OS: Fedora 8

Description:
Fedora has issued an update for drupal. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious users to conduct script insertion attacks.

Solution:
Apply updated packages via the yum utility ("yum update drupal").

Original Advisory:
FEDORA-2008-9170:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00783.html

Other References:
SA32297:
http://secunia.com/Advisories/32297/

SA32389:
http://secunia.com/Advisories/32389/

Red Hat update for java-1.5.0-ibm
Oct 27, 2008 1:35AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


Software: Red Hat Enterprise Linux Extras v. 4
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for java-1.5.0-ibm. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

For more information:
SA31010

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-0891.html

Other References:
SA31010:
http://secunia.com/advisories/31010/

Red Hat update for java-1.6.0-ibm
Oct 27, 2008 1:36AM PDT

Release Date: 2008-10-27

Critical: Highly critical
Impact: Security Bypass
Exposure of system information
Exposure of sensitive information
DoS
System access

Where: From remote
Solution Status: Vendor Patch


Software: Red Hat Enterprise Linux Extras v. 4
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for java-1.6.0-ibm. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose system information or potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-0906.html

Other References:
SA31010:
http://secunia.com/advisories/31010/

iPei Guestbook "pg" Cross-Site Scripting Vulnerability
Oct 27, 2008 1:37AM PDT

Release Date: 2008-10-27

Critical: Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: iPei Guestbook 2.x

Description:
Ghost Hacker has discovered a vulnerability in iPei Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "pg" parameter in index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session, in the context of an affected site.

This vulnerability is confirmed in version 2.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Ghost Hacker

Debian update for clamav
Oct 27, 2008 1:38AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Unknown
DoS

Where: From remote
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid



Description:
Debian has issued an update for clamav. This fixes some vulnerabilities, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerabilities are caused due to unspecified errors related to file descriptor leaks, NULL pointer dereferences, and memory leaks.

Solution:
Apply updated packages.

Original Advisory:
DSA-1660-1:
http://www.us.debian.org/security/2008/dsa-1660

Other References:
SA31725:
http://secunia.com/advisories/31725/

JHead "DoCommand()" Shell Command Injection Security Issue
Oct 27, 2008 1:39AM PDT

Release Date: 2008-10-27

Critical: Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Unpatched


Software: JHead 2.x

Description:
A security issue has been reported in JHead, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the "DoCommand()" function improperly sanitising filenames before using them in a call to "system()". This can be exploited to execute arbitrary commands with escalated privileges by tricking a user into using the "-cmd" argument to process a file having a specially crafted filename.

The security issue is reported in version 2.84. Other versions may also be affected.

Solution:
Do not process untrusted files using the "-cmd" argument.

Provided and/or discovered by:
Reported by John **** in an Ubuntu bug report.

Original Advisory:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020

http://www.openwall.com/lists/oss-security/2008/10/16/3

libpng "png_handle_tEXt()" Memory Leak Vulnerability
Oct 27, 2008 1:40AM PDT

Release Date: 2008-10-27

Critical: Not critical
Impact: DoS

Where: From remote
Solution Status: Vendor Workaround


Software: libpng 1.x

Description:
A vulnerability has been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory leak error within the "png_handle_tEXt()" function in pngrutil.c. This can be exploited to potentially exhaust all available memory via a specially crafted PNG image.

The vulnerability is reported in version 1.2.32. Other versions may also be affected.

Solution:
Fixed in version 1.2.33rc02.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=635463&group_id=5624

NEPT Image Uploader uploadp.php File Upload Vulnerability
Oct 27, 2008 1:41AM PDT

Release Date: 2008-10-27

Critical: Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


Software: NEPT Image Uploader

Description:
Dentrasi has discovered a vulnerability in NEPT Image Uploader, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the script insufficiently verifying the type of uploaded files, which can be exploited to e.g. upload and execute PHP scripts by setting the "Content-Type" header to an accepted type (e.g. "image/jpeg").

The vulnerability is confirmed in a version downloaded 2008-10-27. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Dentrasi

Original Advisory:
http://milw0rm.com/exploits/6830
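The weakness above is trusting the client-supplied Content-Type header to decide what an upload is. The following added example (not NEPT Image Uploader's own code) contrasts that header-only check with one that requires the file extension and the file's leading bytes to agree and then stores the file under a server-chosen name; the allowlist, sample bodies and helper names are assumptions made for the example.

```python
import os
import secrets

# Magic-byte prefixes for the image types the uploader should accept.
# Constructed allowlist for this example; extend as needed.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample bodies: minimal JPEG/PNG prefixes and a PHP stub.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php /* constructed sample, not an exploit */ ?>"


def is_allowed_by_header(content_type: str) -> bool:
    """The weak check the advisory describes: the client-supplied
    Content-Type header alone decides, so any body passes when the
    header claims image/jpeg."""
    return content_type.lower() in {"image/jpeg", "image/png", "image/gif"}


def is_allowed_by_content(filename: str, data: bytes) -> bool:
    """Hardened check: the extension must be on the allowlist AND the file's
    leading bytes must match that type. The Content-Type header is ignored."""
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def stored_name(filename: str, data: bytes) -> str:
    """Server-chosen name for an accepted upload: random, one allowed
    extension, no path component from the client. Keep the upload
    directory outside the web root or with script execution disabled,
    since a valid image can still carry script text after its header."""
    if not is_allowed_by_content(filename, data):
        raise ValueError("upload rejected: extension/content not an allowed image")
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print("header-only check accepts PHP body:", is_allowed_by_header("image/jpeg"))
    print("content check accepts PHP body:", is_allowed_by_content("x.jpg", SAMPLE_PHP))
    print("stored as:", stored_name("../../photo.jpg", SAMPLE_JPEG))
```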

KVIrc "irc://" URI Handling Format String Vulnerability
Oct 27, 2008 1:43AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Unpatched


Software: KVIrc 3.x

Description:
Gjoko 'LiquidWorm' Krstic has discovered a vulnerability in KVIrc, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a format string error while processing URIs and can be exploited e.g. by tricking a user into opening a specially crafted "irc://" URI.

Successful exploitation may allow execution of arbitrary code, but requires that KVIrc is the default handler for IRC URIs.

The vulnerability is confirmed in version 3.4.0 on Windows. Other versions may also be affected.

Solution:
Do not follow untrusted links or browse untrusted websites.

Provided and/or discovered by:
Gjoko 'LiquidWorm' Krstic

Original Advisory:
http://milw0rm.com/exploits/6832

tlNews "tlNews_login" Cookie Security Bypass
Oct 27, 2008 1:44AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: tlNews 2.x

Description:
X0r has discovered a vulnerability in tlNews, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application allowing access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the application by creating the cookie "tlNews_login" and assigning it the value "admin".

This vulnerability is confirmed in version 2.2. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
X0r

Original Advisory:
http://milw0rm.com/exploits/6836
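The fix the advisory calls for is to stop treating the mere presence of a cookie as proof of login. The following added example (not tlNews's own code) contrasts that weak check with a server-signed, expiring session cookie that the client cannot forge or alter; SECRET_KEY, the cookie field layout and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder: a real deployment loads a random secret from
# configuration and never hard-codes it.
SECRET_KEY = b"constructed-example-secret-replace-me"
COOKIE_NAME = "tlNews_login"


def weak_is_admin(cookies: dict) -> bool:
    """The pattern the advisory describes: the cookie's presence alone grants
    access, so a client that sets the cookie itself is treated as admin."""
    return COOKIE_NAME in cookies


def issue_session(username: str, role: str, now: Optional[float] = None,
                  ttl: int = 3600) -> str:
    """Mint a cookie value only after the user has authenticated (password
    check not shown). Layout: user|role|expiry|HMAC-SHA256 over the first
    three fields, so none of them can be changed without the server key."""
    if "|" in username or "|" in role:
        raise ValueError("field separator not allowed in username/role")
    expiry = int((now if now is not None else time.time()) + ttl)
    payload = f"{username}|{role}|{expiry}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_session(value: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the session fields if the tag is valid and unexpired, else None."""
    parts = value.split("|")
    if len(parts) != 4:
        return None
    username, role, expiry, tag = parts
    payload = "|".join(parts[:3])
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal matching tag bytes.
    if not hmac.compare_digest(tag, expected):
        return None
    current = now if now is not None else time.time()
    if not expiry.isdigit() or int(expiry) < current:
        return None
    return {"user": username, "role": role}


def strong_is_admin(cookies: dict, now: Optional[float] = None) -> bool:
    """Hardened check: the cookie must carry a server-signed, unexpired
    session whose role is admin."""
    session = verify_session(cookies.get(COOKIE_NAME, ""), now)
    return session is not None and session["role"] == "admin"
```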

SFS Ez Forum "forum" SQL Injection Vulnerability
Oct 27, 2008 1:45AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Exposure of sensitive information
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: SFS Ez Forum

Description:
Hurley has reported a vulnerability in SFS Ez Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "forum" parameter in forum.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hurley

Original Advisory:
http://milw0rm.com/exploits/6843

PozScripts Classified Auctions "id" SQL Injection
Oct 27, 2008 1:46AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: PozScripts Classified Auctions

Description:
Hussin X has reported a vulnerability in PozScripts Classified Auctions, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in gotourl.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/6839

Kasra CMS "index.php" SQL Injection Vulnerabilities
Oct 27, 2008 1:47AM PDT

Release Date: 2008-10-27

Critical: Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Kasra CMS

Description:
G4N0K has reported two vulnerabilities in Kasra CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "cont" and "shme" parameters in index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames and password hashes.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
G4N0K

Original Advisory:
http://milw0rm.com/exploits/6837

New address spoofing flaw smudges Google's Chrome
Oct 27, 2008 2:19AM PDT

Browser vuln enables website impersonation

By Dan Goodin in San Francisco

Posted in Security, 26th October 2008 20:17 GMT

Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.

Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.

"I don't see Apple Safari vulnerable in the same way," he writes in an email to The Register. "They share the same engine(webkit)."

More: http://www.theregister.co.uk/2008/10/26/google_chrome_address_spoofing/

Android mobile has a security vulnerability
Oct 27, 2008 2:21AM PDT

27 October 2008

The first vulnerability for the Android based T-Mobile G1 has been disclosed, only a few days after T-Mobile put the long awaited device on sale. Security experts from Independent Security Evaluators (ISE) found a serious security risk in the software developed for it by Google. A visit to a crafted web site with an Android mobile phone could enable an attacker to inject his own code and run it. ISE claims to have developed a reliable exploit to take advantage of this vulnerability and says the cause of the problem is that Google used an outdated version of a particular open source package, but as yet it has not given more details.

More: http://www.heise-online.co.uk/security/Android-mobile-has-a-security-vulnerability--/news/111792

Google Android vulnerable to drive-by browser exploit
Oct 27, 2008 7:50AM PDT

Posted by Ryan Naraine

The Google Android operating system is vulnerable to a serious security vulnerability that allows malicious hackers to launch drive-by browser attacks, according to an alert from a security research outfit.

Technical details of the vulnerability, which occurs because Google Android uses an unpatched open-source software package, are being kept under wraps until a patch is available.

More: http://blogs.zdnet.com/security/?p=2067&tag=nl.e589

Sun patches Java System LDAP JDK
Oct 27, 2008 2:22AM PDT

27 October 2008

Sun Microsystems has reported a security problem with its Java System LDAP Java Development Kit. The problem allows local unprivileged users to gain access to unauthorised information when using applications built with the LDAP JDK. The problem is caused by a flaw in the search feature of the LDAP JDK.

According to the vendor, the hole can be exploited in LDAP JDK 4.19 for Sun Java System Access Manager 7 2005Q4, 7.1 and 6 2005Q1 (each for Solaris 8, 9 and 10 as well as Red Hat Enterprise Linux 2.1). The problem also affects LDAP JDK 4.19 for HP-UX and Windows. Patches for the respective platforms resolve the vulnerability.

More: http://www.heise-online.co.uk/security/Sun-patches-Java-System-LDAP-JDK--/news/111794

Multiple Vendor Web Browser FTP Client Cross Site Scripting
Oct 27, 2008 3:01AM PDT

Multiple vendors' web browsers are prone to a cross-site scripting vulnerability that arises because the software fails to handle specially crafted files served using the FTP protocol.

Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.

More: http://sunbeltblog.blogspot.com/index.html

File-Find-Object Format String Vulnerability
Oct 27, 2008 6:38AM PDT

27 Oct. 2008

Summary
File::Find::Object is "an object-oriented and iterative replacement for File::Find. I.e: it is a module for traversing a directory tree, and finding all the files contained within it programmatically". A format string vulnerability in File-Find-Object allows local attackers to cause the program to execute arbitrary code by causing the product to go into a loop where it will try and print out the looping directory without providing a format string.

Credit:
The information has been provided by Shlomi Fish.

http://www.securiteam.com/unixfocus/6S00L20MUE.html

Opera scrambles to quash zero-day bug in freshly-patched bro
Oct 27, 2008 6:41AM PDT

Opera scrambles to quash zero-day bug in freshly-patched browser

Multiple platform pwnage

By Dan Goodin in San Francisco

27th October 2008

Just a few days after Opera Software patched critical vulnerabilities in its browser, researchers have identified another serious bug that allows attackers to remotely execute malicious code on the machines of people running the most recent version of the software. Opera has vowed to fix the flaw soon.

Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims' browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that's based on the same weakness.

Simply viewing a booby-trapped webpage with Opera is all that's required to run code of an attacker's choosing on a machine. Researcher Aviv Raff shared a link with us that caused our Windows machine to load the calculator, but certainly less benign exploits are possible as well. The attack works on OS X and Linux machines as well, he says.

More: http://www.theregister.co.uk/2008/10/27/zero_day_opera_bug/

Microsoft Releases Security Advisory 958963
Oct 27, 2008 11:22AM PDT

added October 27, 2008 at 08:16 pm

Microsoft has released Security Advisory 958963 to alert users that exploit code is publicly available for the Windows Server Service vulnerability addressed in Microsoft Security Bulletin MS08-067. The advisory states that this exploit code has demonstrated arbitrary code execution on Windows 2000, XP and Server 2003.

US-CERT encourages users and administrators to review Microsoft Security Advisory 958963 and apply the update or workarounds listed in Microsoft Security Bulletin MS08-067 to help mitigate the risks.

Additional information regarding the Windows Server Service vulnerability is available in:


More: http://www.us-cert.gov/current/current_activity.html#microsoft_releases_security_advisory_958963